Series Introduction

Networks dominate today's computing landscape and
commercial technical protection is lagging behind attack technology. As
a result, protection program success depends more on prudent management
decisions than on the selection of technical safeguards. Managing
Network Security takes a management view of protection and seeks to
reconcile the need for security with the limitations of technology.

Terrorism

I have heard a lot about cyber terrorism over the
last several years, and you have probably heard your share as well. As
I am a scientist by training, nature, and desire, I have a basic
approach to all problems - the method (no - not acting). The method
says that you create hypotheses, do experiments to try to refute them,
and get refutations or confirmations that are then used to adjust the
theory (or not). In the case of cyber terrorism, theories abound.
Every pundit on the planet seems to think they know something - but few
of them know very much. The problem is that there is no good way to do
experiments. So we fall back on investigative skills as the only
alternative to experiments for differentiating sound candidates from
foolishness.

Most people who start talking about terrorism begin
with a definition or some such thing. I will not. For my purposes I
just assume that terrorists are people listed on the US State
Department's list of terrorist organizations. If I miss a few it
doesn't matter because there are so many on the list I can never get
through them all anyway. If I include some who are not really
terrorists by your definition, don't be offended - I didn't write the
list. And who makes the list is not as important as the basic notion
anyway.

The basic notion that I have about trying to
understand cyber terrorism is that it can only be done by looking at one
group at a time. You look at group after group after group and try to
understand all you can about them in the available amount of time. Then
you start to draw conclusions as you see the forest emerging from all
those trees.

The Trees

You might reasonably ask how many trees I have
looked at on my quest to understand the forest. At this point I have
had students in graduate classes and professional researchers working
with me for a number of years on this subject. The net effect is that
we have done mid-level depth studies on about 20 terrorist groups in the
last few years. Earlier studies are probably not all that relevant to
the cyber terror issue.

In your walk through forests, you might have noticed
that besides the trees, there are some other things there - like the
moss and grass and animals, etc. In the cyber arena, there are also
things besides terrorist groups, and you have to understand them in
order to understand how the terrorist groups might be able to exploit
information technologies to their ends. In this arena I have a lot of
experience, having done lots of work on critical infrastructures and
consulting for corporations and governments over the years.

Of course the forest lives in an overall
environment, as does information technology. If cyber terrorism is to
be understood, it must be understood in context. The context of the day
is focussed on the so-called Middle East - that region at the
intersection of Africa, Asia, and Europe that is mostly desert and
sitting on top of a huge oil field. Both historically, because of trade
routes, and currently, because of the oil trade, this region has been
and is today, critical to the wealth of nations. The predominantly Arab
population of the region wants Israel out of there and the 'West' (that
being mostly the US and Western European nations) wants Israel to
remain, for reasons ranging from religious heritage to strategic
positioning (e.g., Keep the peoples of the region at war and they will
not realize that they are squandering their wealth buying guns from the
West in exchange for the oil they sold to the west - leaving them with
old guns that are only useful for fighting each other anyway). Of
course there are lots of other terrorist groups that are lower profile
today, but rest assured, they are still out there.

The Forest

It should not be a big shock coming from me that I
will take the approach that risks are a result of a conspiracy of
threats, vulnerabilities and consequences. After all, I have written
about it in this column a few times a year since 1995. In order to
understand the forest, we must take the trees, mosses, other living
creatures, and the outside environment into account, or we certainly
miss the big picture. From this perspective, the only difference
between cyber terrorism and other areas of information system abuse is
the threat. The vulnerabilities that are present in information
systems and the range of consequences of the exploitation of those
systems by threats are more or less the same regardless of who the
attacker is. This is not strictly true, because different threats apply
different combinations of techniques, with different degrees of
simultaneity, toward different ends.

So if we are to understand this forest, we might
want to start by looking at what consequences a terrorist organization
might reasonably seek through cyber space. That's what a lot of folks
do - they start by trying to find enormous consequences and see if they
can back track those consequences to some sequence of acts that could be
done by terrorist organizations. How about starting with the end of the
world as we know it and seeing if terrorist groups could do it? Let's
see, how would we end the world, and could we find a way to do it within
the means of terrorists?

The terrorists are at somewhat of a disadvantage
here because, for the most part, they really don't want to end the
world, even if some of them are willing to brainwash other parents'
teenaged children into committing suicide 'for the cause'. Indeed, they
are sitting on the attacker's side of the fence - seeking insiders to
take advantage of systems, trying to get and keep funded, working to get
explosives and cache them where nation states won't take them away,
trying to recruit pre-brainwashed teenagers and steep them in propaganda
for a lifetime of exploitation, and so forth.

What You Do

Of course we all care about the terrorist situation
and the loss of life happening every day in the regions of conflict, but
this does not make it a critical part of our everyday work life. Even
if a terrorist group could end the world via cyber attack, it would have
very little to do with what most of you do every day. So another issue
that has to be considered is how cyber terrorism impacts what those who
manage network security do. That has more to do with what the
terrorists do every day than the one-off events they may be able to
create on rare occasions. And indeed, if we can address the everyday
issue, the one-off issue will be far less likely to ever happen.

So let's assume for the moment that we could focus
our resources on fighting cyber terrorism in our organizations. What
would that mean to most of us? Probably very little. Indeed, most of us
are already defending our information systems by managing risks. The
overall theory is that if each of us manages risks reasonably well, then
in the aggregate we will manage the overall risk reasonably well and we
will all be the better for it.

But unfortunately, this falls over when it comes to
issues like cyber terrorism. The reason for this is that the successful
terrorist sits closer to the edge of our risk management spectrum than
its center. The terrorist typically remains low profile until they
become very high profile for a short period of time. They are trained
in infiltration - which is to say - they are supposed to act assimilated
until they do their big terror thing. If they commit crimes all along
the way, it will be more likely that we will catch them along the way,
so they try to keep a low profile, work their way into the desired
position for the mission over a period of years, and then strike when
the opportunity is right. As we all know but few admit, insider threats
are dealt with poorly by our risk management processes.

What Terrorists do in Cyberspace

So if we are going to look out for the cyber
terrorists, it will probably be helpful to know what to look for. I
cannot tell you what will happen in the future. If I knew, I would
probably keep it to myself anyway. So all I can really do is tell you
about the past. Recent history shows that terrorists do the following
things in cyberspace:

Planning: Information technology is used
to plan terrorist operations. This generally includes intelligence
gathering, analysis, coordination of personnel and equipment, and other
aspects of operations. If you encounter a planning process or system,
contact local authorities right away - do not pass go - do not go
through normal corporate processes to avoid potential liabilities or
anything like that. If a terrorist detects that you have detected their
planning system, you will probably be killed as soon as possible, so
don't wait around. They will also move on and others will get killed
unless they are stopped, so be quick about it.

Finance: Information technology is one
of the keys in the financial system of terrorist organizations. They
use information systems to get funding, track books, move money around,
coordinate financial actions, and make purchases. Funding often goes
through so-called charitable donations, through computer crimes like
credit card theft, through solicitations of any sort, and naturally,
through the drug trade. The drug trade is facilitated by information
technology in the money laundering and funds transfer arenas as well as
acting as a communications medium for the sales and delivery process. As
with planning, detected systems and networks should be reported to law
enforcement, in this case at the federal level. The risk to life tends
to be lower in the finance arena than in the planning or operations
arena and these systems tend to persist longer and be more deeply
embedded in communities. In cases involving computer crimes, it is
important to report to authorities so they can coordinate the actions of
groups across many small activities to see the bigger picture.

Coordination and operations: Many
activities are coordinated through information technology. This ranges
from the transmission of 'go' signals for coordinated starts of
operations, to synchronization of global activities, to arrangements to
meet incoming shipments, to digital versions of dead drops. The
convenience of information technology on a global scale makes it ideal
for small groups to act on a globally coordinated basis with relative
safety through encryption and steganographic technologies combined with
anonymity. Information technology in the form of radios, telephones,
and pagers, is used as an operational tool all the time. Computers are
also used in real-time for activities ranging from checking identities
to determine who to keep in a kidnap operation to satellite links for
tracking ongoing operations via the media. With increasing frequency,
information systems are being exploited to facilitate operations or as
the objective of an operation. If you encounter a computer used in
terrorist coordination or operations, you should immediately call the
authorities. Chances are you will not be close enough to a real
terrorist to get killed right away, but just in case, do it sooner
rather than later.

Political Action: One of the key
efforts of terrorist groups is the use of information technology to gain
political action and attention. This ranges from high profile web sites
that urge supporters to contact their congress-people to sites that give
detailed instructions on how to hold protests for maximum media effect.
These sites are legal, as long as they are created in a legal manner.
They are interesting to read because they clearly show that these
organizations are oriented toward media attention and that most if not
all of the street protests and similar activities are not spontaneous -
they are planned media events.

Propaganda: Many web sites are used by
terrorist organizations as part of their propaganda machines. These
sites actively promote the ideals of the movements, provide selected
facts and lots of misleading statements, include pictures that are
identified as one thing when they are in fact something else, and so
forth. They include smear campaigns, pictures of blown up bodies,
ancient propaganda as the basis for current propaganda, and so forth.
For the most part, these sites are legal and designed to support current
and future membership by providing support for their pre-existing
notions and giving them 'facts' to back up their beliefs. The vast
majority of the information is not directly false, but is clearly
slanted. You should probably block these sites from corporate access or
identify those within the organization that go there often from work.
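The two responses suggested in that paragraph, blocking listed sites at the proxy and noticing which workstations keep reaching for them, are easy to get subtly wrong, so here is an added illustration in Python. It is not code from the column or from the author; the log format (a Squid-style access log with the authenticated user in the last field), the domain names (all under the reserved `.invalid` TLD), the block list and the threshold are constructed assumptions. It matches on whole domain labels rather than substrings, so `front-site.invalid.example.org` is not mistaken for the listed `front-site.invalid`, and it counts denied attempts as well as successful fetches, since the point of the report is the pattern of attempts, not the bytes delivered.

```python
"""Added example, not from the column: enforce a corporate domain block list
and report users who repeatedly try to reach listed sites.

Assumptions (constructed for this example): Squid-style access log lines
"ts client result/status bytes method url user", and a block list of
domains under the reserved .invalid TLD so nothing here resolves.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed block list of domains (assumption, not a real list).
BLOCKLIST = {"front-site.invalid", "propaganda-mirror.invalid"}

# One regex field per whitespace-separated column of the assumed log format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)$"
)

# Constructed sample log: alice hits listed sites three times, carol once
# (already denied by the proxy), bob only reaches look-alike or unrelated hosts.
LOG_LINES = """\
1700000000.123 192.0.2.10 TCP_MISS/200 5120 GET http://front-site.invalid/news alice
1700000001.456 192.0.2.11 TCP_MISS/200 2048 GET http://example.org/ bob
1700000002.789 192.0.2.10 TCP_MISS/200 1024 GET http://www.front-site.invalid/gallery/1 alice
1700000003.000 192.0.2.12 TCP_DENIED/403 0 GET http://propaganda-mirror.invalid/ carol
1700000004.111 192.0.2.10 TCP_MISS/200 4096 GET http://propaganda-mirror.invalid/a.html alice
1700000005.222 192.0.2.11 TCP_MISS/200 512 GET https://front-site.invalid.example.org/ bob
""".splitlines()


def parse_line(line):
    """Return the log fields as a dict, or None for a line that does not fit."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def hostname_of(url):
    """Lower-case host part of a URL, or None if the URL has no host."""
    return urlsplit(url).hostname


def is_blocked(host, blocklist=BLOCKLIST):
    """True if host is a listed domain or a subdomain of one.

    Matching on label boundaries (exact or '.' + domain suffix) avoids the
    classic substring mistake, where 'front-site.invalid.example.org'
    would match 'front-site.invalid'.
    """
    if not host:
        return False
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocklist)


def policy_decision(url, blocklist=BLOCKLIST):
    """Proxy-side decision for a single request: 'deny' or 'allow'."""
    return "deny" if is_blocked(hostname_of(url), blocklist) else "allow"


def blocked_hits_per_user(lines, blocklist=BLOCKLIST):
    """Count attempts (allowed or already denied) against listed domains, per user."""
    counts = Counter()
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue  # unparseable line: skip rather than crash the report
        if is_blocked(hostname_of(fields["url"]), blocklist):
            counts[fields["user"]] += 1
    return counts


def frequent_visitors(lines, threshold=2, blocklist=BLOCKLIST):
    """Users whose count of attempts against listed domains reaches the threshold."""
    return {user: n for user, n in blocked_hits_per_user(lines, blocklist).items()
            if n >= threshold}


if __name__ == "__main__":
    for line in LOG_LINES:
        f = parse_line(line)
        print(f"{f['user']:6} {policy_decision(f['url']):5} {f['url']}")
    print("frequent visitors:", frequent_visitors(LOG_LINES, threshold=2))
```

The threshold and the review window are policy choices; a per-user count over a day or a week is the usual starting point, and the report is a lead for a follow-up conversation, not evidence of anything by itself.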

While there are some other ways that terrorist
groups might use information technology, the vast majority of activities
to date have been in the areas described above. There have been
outliers - ranging from the use of a chat room by a Palestinian group to
lure and kill an Israeli teenager - to the attempts to break into US
energy companies by Middle Eastern groups - to the sale of software to
run police systems by the Aum Shinrikyo group in Japan - to the
exploitation of laser-based remote bomb controls by the IRA. Obviously,
if you encounter anything like this you would want to report it to
federal authorities right away.

Conclusions

Just as business has prospered in the Internet era
because of the efficiencies associated with deeply embedded information
technology, criminal and terrorist groups have taken advantage of the
technology to their own ends. Technology brings efficiency to all who
use it.

From the perspective of the security manager, cyber
terrorism has not changed much about the way you operate, but it does
produce some changes in the way you might respond to incidents. In
particular, it should produce changes in the response processes and
policies with regard to Internet use.

I have said for some time that many unreported
criminal activities exploiting information technology should be
reported. This might be viewed as an excuse for pushing that policy
forward. It is not an excuse for it, it is merely another example of
the importance of recognizing criminal activity and dealing with it. In
this case the criminals will kill people who find them out, so it is
more severe than many of the insider crimes that most security managers
cover up from time to time.

About The Author:

Fred Cohen is researching information protection as a
Principal Member of Technical Staff at Sandia National Laboratories,
helping clients meet their information protection needs as the Managing
Director of Fred Cohen and Associates, and educating cyber defenders
over-the-Internet as a practitioner in residence in the University of
New Haven's Forensic Sciences Program. He can be reached by sending
email to fred at all.net or visiting http://all.net/